all about email based threats


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “A new picture or video message [Vodafone MMS]”.

The email is sent from the spoofed address “randomcharacters@vodafone.nl” at the SMTP server level and appears in the mail client as “mms@mms.vodafone.nl”. According to our global logs, this campaign currently targets only clients with a .nl TLD in the email address, so this trojan is sent to internet users in the Netherlands only.

The email has the following body:

The email text (mainly in Dutch – with a spelling error):

You have received a picture message from mobile phone number +31654328751
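The traits reported for this campaign (the subject line, a displayed From address that differs from the SMTP envelope sender, and the ZIP attachment holding an executable that readers mention) can be combined into a manual filter rule. The sketch below is an added example, not MX Lab's code; the function names, the extension list, the attachment file names and the sample envelope address are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions treated as executable: an assumption, the page only says "executable".
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

def campaign_indicators(raw: bytes, envelope_from: str) -> list[str]:
    """Return the reasons a message matches the traits reported for this campaign."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if "[vodafone mms]" in str(msg["Subject"] or "").lower():
        hits.append("subject")
    # The header From shown by the mail client differs from the SMTP envelope sender.
    header_from = parseaddr(str(msg["From"] or ""))[1].lower()
    if header_from and header_from != envelope_from.strip("<>").lower():
        hits.append("from-mismatch")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        # Inspect member names only; nothing is extracted to disk.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(n.lower().endswith(EXECUTABLE_EXTS) for n in zf.namelist()):
                hits.append("zip-with-executable")
    return hits

def build_sample(member_name: str) -> bytes:
    """Constructed test message; the attachment holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "mms@mms.vodafone.nl"
    msg["To"] = "user@example.nl"
    msg["Subject"] = "A new picture or video message [Vodafone MMS]"
    msg.set_content("You have received a picture message")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(campaign_indicators(build_sample("picture.exe"), "<xkqpwz@vodafone.nl>"))
```

A From/envelope mismatch on its own is common in legitimate bulk mail, so a rule should act on the combination of indicators rather than on that one alone.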

Thanks for the updates. The virus outbreak towards .nl domains lasted for two days according to our global logs. We do not have any .se or .hu domains in our portfolio of clients but it is possible that the campaign is targeting systems in other countries and will continue to do so.

There seems to be an uproar in these mails again. Just received a bunch of them and our spam filter (GFI) fails to mark them as spam (which seems silly to me, I wonder how they manage to authenticate SPF for example and have managed to avoid spam lists for so long) and virus scanner (Norman) fails to detect them as a virus. Manually setting up rules to block these mails would be recommended, especially if you have a lot of clients outside your direct control.
Rather eye opening to what kind of apocalyptic useless tools a virus scanner can be when it comes to new hazards.

Same here in .NL, a whole bunch in one go. AVG did not pick them up. There is a zip file with an executable in there. On my other computer it was intercepted by ZoneAlarm when I extracted the exe to my HDD.

I received one today in NL with 0621962622@vodafone. Outlook didn't catch it but Kaspersky did and put it in quarantine (I guess). I wonder if it slows my LT down; seems like it though.
After a full scan Kaspersky reported no infections.